On Sun, 2008-08-10 at 20:28 +0200, Dirk H. Schulz wrote:
Hi Robert,
--On 10. August 2008 13:56:22 -0400 Robert Spangler mlists@zoominternet.net wrote:
- snip -
OK, I don't know this tool you are using to sync the conntracking of all the firewalls. Could you post a link to it?
Yes, of course: http://www.netfilter.org/projects/conntrack-tools/index.html
Now for the fun stuff. Why would you have many Internet connections that do not return on the same path they go out on? Sounds like you really only have one true connection with one true IP to the Internet. That would explain why traffic leaving on interface 2 comes back on interface 1.
It is two routers that are connected to 2 upstream routers; all four use OSPFv2 for routing between them. I have not fine-tuned OSPF so far to avoid asynchronous routing - I want to do the connection table synchronization stuff before, because I have to do it anyway (in case of a router crash) and now I have an ideal testbed (because of the asynchronous routing).
Without knowing your setup I'm not going to guess at this.
The setup is as follows: Every router has
- an external interface with a public IP address, each resting in a small separate subnet that connects to the upstream router
- an interface for inter-router connections (private IP addresses)
- 2 additional interfaces to server LANs - both routers have an interface to both of the 2 server LANs; both server LAN interfaces additionally use shared virtual IPs
If you need more detailed information I could offer the OSPF configuration (XORP).
Here is the configuration for conntrackd (I have omitted buffer sizes etc.):
Sync {
    Mode FTFW {
        ResendBufferSize 262144
        CommitTimeout 180
        ACKWindowSize 20
    }
    Multicast {
        IPv4_address 225.0.0.50
        IPv4_interface 192.168.11.1
        Interface eth1
        Group 3780
    }
    Checksum on
    CacheWriteThrough On
}
General {
    HashSize 8192
    HashLimit 65535
- snip -
    IgnoreTrafficFor {
        IPv4_address INTER_ROUTER_INTERFACE
        IPv4_address EXTERNAL_INTERFACE
        IPv4_address INTERNAL_INTERFACE1
        IPv4_address INTERNAL_VIRTUAL_IP
        IPv4_address INTERNAL_INTERFACE2
    }
    IgnoreProtocol {
        IGMP
        VRRP
    }
The setup works - using "conntrackd -e" I can see the connection table entries the other router's conntrackd has synchronized. What I cannot check is if the receiving conntrackd writes the received entries into the kernel's connection tracking table.
yum install iptstate
iptstate

Also: cat /proc/net/nf_conntrack
The doc says you must have kernel 2.6.18 or later. It looks like there are some iptables features that you can use that will not allow this to work. Are you in compliance with all of the dependencies listed in http://conntrack-tools.netfilter.org/conntrackd.html ?
Nataraj
Example:
udp 17 30 src=124.165.230.206 dst=93.94.81.82 sport=2040 dport=1434 [UNREPLIED] [active since 6s]
tcp 6 120 SYN_SENT src=93.185.115.91 dst=93.94.80.133 sport=4290 dport=135 [UNREPLIED] [active since 46s]
So I hope to find someone on the list who has done this kind of setup before.
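The open question in this thread is whether entries that show up in "conntrackd -e" (the external cache received from the peer) have actually been committed to the local kernel table. One way to check that is to compare the two tables on the original-direction 5-tuple, ignoring timeouts and counters, which differ between the two views anyway. The script below is an added example written for this thread, not part of conntrack-tools or of any poster's setup. The two tables embedded in it are constructed samples in the style of the entries quoted above (the kernel sample uses the "ipv4 2 ..." prefix that /proc/net/nf_conntrack puts in front of each line); on a real router you would feed it the output of "conntrackd -e" and the contents of /proc/net/nf_conntrack instead.

```python
import re

# Constructed sample of the external cache, in the style of the
# "conntrackd -e" entries quoted in the thread (not captured from a real host).
EXTERNAL_CACHE = """\
udp 17 30 src=124.165.230.206 dst=93.94.81.82 sport=2040 dport=1434 [UNREPLIED] [active since 6s]
tcp 6 120 SYN_SENT src=93.185.115.91 dst=93.94.80.133 sport=4290 dport=135 [UNREPLIED] [active since 46s]
tcp 6 431999 ESTABLISHED src=10.0.0.5 dst=93.94.80.10 sport=51000 dport=443 src=93.94.80.10 dst=10.0.0.5 sport=443 dport=51000 [ASSURED] [active since 300s]
"""

# Constructed sample of the local kernel table in /proc/net/nf_conntrack style.
# The second external entry (the SYN_SENT one) is deliberately absent here.
KERNEL_TABLE = """\
ipv4 2 udp 17 29 src=124.165.230.206 dst=93.94.81.82 sport=2040 dport=1434 [UNREPLIED] src=93.94.81.82 dst=124.165.230.206 sport=1434 dport=2040 mark=0 use=1
ipv4 2 tcp 6 431999 ESTABLISHED src=10.0.0.5 dst=93.94.80.10 sport=51000 dport=443 src=93.94.80.10 dst=10.0.0.5 sport=443 dport=51000 [ASSURED] mark=0 use=1
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_entry(line):
    """Return (proto, src, dst, sport, dport) for the original direction of one entry.

    Both output formats repeat src/dst/sport/dport for the reply direction; only
    the first occurrence of each key (the original direction) is used, so an
    entry matches regardless of whether the reply tuple is printed.
    Returns None for blank lines or entries without src/dst.
    """
    tokens = line.split()
    if not tokens:
        return None
    # /proc/net/nf_conntrack prefixes the layer-3 family, e.g. "ipv4 2".
    if tokens[0] in ("ipv4", "ipv6"):
        tokens = tokens[2:]
    proto = tokens[0]
    first = {}
    for key, value in KV_RE.findall(line):
        first.setdefault(key, value)
    if "src" not in first or "dst" not in first:
        return None
    # Entries without ports (e.g. ICMP) still get a key; the port fields stay empty.
    return (proto, first["src"], first["dst"],
            first.get("sport", ""), first.get("dport", ""))


def parse_table(text):
    """Parse a whole table dump into a set of original-direction 5-tuples."""
    entries = set()
    for line in text.splitlines():
        key = parse_entry(line)
        if key is not None:
            entries.add(key)
    return entries


def missing_in_kernel(external_text, kernel_text):
    """Entries the peer synchronized that the local kernel table does not contain."""
    return sorted(parse_table(external_text) - parse_table(kernel_text))


if __name__ == "__main__":
    for entry in missing_in_kernel(EXTERNAL_CACHE, KERNEL_TABLE):
        print("in external cache but not in kernel table:", entry)
```

With the FTFW setup from the thread a non-empty result on the backup router is expected until the entries are committed (conntrackd keeps them in the external cache and injects them into the kernel on commit, e.g. on failover), so the useful check is to run the comparison before and after a commit and confirm the difference shrinks to zero. Entries for the addresses listed under IgnoreTrafficFor never appear on either side, since they are excluded from synchronization.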